OpenSSL update creates new critical flaw

One of the patches for an OpenSSL memory corruption flaw released last week created a dangling pointer flaw.

The OpenSSL Project released a critical patch for a new flaw created as a result of an update to the cryptography library.

OpenSSL announced an update last week that fixed 14 flaws. However, a patch for a memory corruption flaw (CVE-2016-6307) in the open-source library created a dangling pointer flaw (CVE-2016-6309).

OpenSSL released a patch for the new flaw on Monday. The critical vulnerability was disclosed by Google ‎information security engineer Robert Święcki.

“The patch applied to address CVE-2016-6307 resulted in an issue where if a message larger than approx 16k is received then the underlying buffer to store the incoming message is reallocated and moved,” the security advisory stated. “Unfortunately a dangling pointer to the old location is left which results in an attempt to write to the previously freed location.”

A recent report highlighted the difficulties faced by enterprises patching open source software and noted a rising number of attacks that were the result of software vendors being slow to update open source components in commercial software.

Get SC Media delivered to your inbox

Whitepaper of the Day

Newswire

Buzz

I would like to receive relevant information via email from Haymarket Media.

SC Media arms cybersecurity professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.